authenticate() test for locked/disabled accounts regardless of password match

Description

Locked or disabled accounts should always show the same error message, regardless of whether the password is a match, to avoid brute force/enumeration.

Environment

None

Assignee

Unassigned

Reporter

Justin Carter

Labels

None

Fix versions

Affects versions

Priority

Major
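
The behaviour the description asks for, shown as an added example that is not the project's own code: a password-first check whose response changes on a correct guess against a locked account, beside a version where account state decides the outcome. The `Account` fields, function names other than `authenticate`, message wording and sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

GENERIC_ERROR = "Invalid username or password."    # constructed wording (assumption)
UNAVAILABLE_ERROR = "This account is unavailable."  # constructed wording (assumption)

@dataclass
class Account:  # hypothetical account record
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    disabled: bool = False

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password, **flags):
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), **flags)

def authenticate_leaky(accounts, username, password):
    """Password checked first: a locked account answers differently on a correct guess."""
    acct = accounts.get(username)
    if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return (False, GENERIC_ERROR)
    if acct.locked or acct.disabled:
        return (False, UNAVAILABLE_ERROR)
    return (True, "")

def authenticate(accounts, username, password):
    """Account state decides the outcome; the match result is ignored when locked/disabled."""
    acct = accounts.get(username)
    if acct is None:
        return (False, GENERIC_ERROR)
    # Always do the hash work so locked and active accounts cost about the same.
    matches = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)
    if acct.locked or acct.disabled:
        return (False, UNAVAILABLE_ERROR)  # identical whether or not `matches` is True
    return (True, "") if matches else (False, GENERIC_ERROR)

# Constructed sample accounts, all sharing one known password.
ACCOUNTS = {
    "active": make_account("correct horse"),
    "locked": make_account("correct horse", locked=True),
    "disabled": make_account("correct horse", disabled=True),
}
```

A test for the ticket compares the full response for a locked or disabled account under a correct and an incorrect password and requires them to be equal.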